This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.

« Network Connection via Signed Binary Network Traffic to Rare Destination Country »

› › ›

Network Logon Provider Registry Modification

edit

Network Logon Provider Registry Modification

edit

Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.

Rule type: eql

Rule indices:

logs-endpoint.events.*
endgame-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Host
Windows
Threat Detection
Persistence
Credential Access
Elastic Endgame

Version: 101 (version history)

Added (Elastic Stack release): 7.13.0

Last modified (Elastic Stack release): 8.6.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Authorized third party network logon providers.

Rule query

edit

registry where registry.data.strings != null and registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPat
h", "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Netwo
rkProvider\\ProviderPath" ) and /* Excluding default
NetworkProviders RDPNP, LanmanWorkstation and webclient. */ not (
user.id : "S-1-5-18" and registry.data.strings in
("%SystemRoot%\\System32\\ntlanman.dll",
"%SystemRoot%\\System32\\drprov.dll",
"%SystemRoot%\\System32\\davclnt.dll") )

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Modify Authentication Process
- ID: T1556
- Reference URL: https://attack.mitre.org/techniques/T1556/
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/

Rule version history

edit

Version 101 (8.6.0 release)

Updated query, changed from:

registry where registry.data.strings != null and registry.path : "HKL
M\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath"
and /* Excluding default NetworkProviders RDPNP, LanmanWorkstation
and webclient. */ not ( user.id : "S-1-5-18" and
registry.data.strings in
("%SystemRoot%\\System32\\ntlanman.dll",
"%SystemRoot%\\System32\\drprov.dll",
"%SystemRoot%\\System32\\davclnt.dll") )

Version 100 (8.5.0 release)

Formatting only

Version 4 (8.4.0 release)

Formatting only

Version 3 (8.2.0 release)

Formatting only

Version 2 (8.1.0 release)

Formatting only

« Network Connection via Signed Binary Network Traffic to Rare Destination Country »